Which processes are legitimate?

SANTANDER

Win XP Home, NOD32 3.0.650.0 antivirus. I got infected with the Win32/Alman.NAB
virus. My antivirus showed some executable files were infected; also, when
browsing the web with Internet Explorer, Windows periodically popped up error
messages called RUNDLL:
"Error loading C:\Windows\AppPatch\Jview.dll
The specified module could not be found."
(I use Firefox by default.)

After running a whole-computer scan, NOD32 isolated the infected files in a
Quarantine folder. I removed Jview.dll.
As far as I know, Win32/Alman.NAD is an infector and downloader and it has its
own driver. If it sits inside some legitimate process (IE), then it will add a new
registry key again. Then removing it will be harder.
Then I ran the HijackThis utility and got the following report. I looked
through the logfile, but I'm not sure which processes and keys are
legitimate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:03:59, on 2008.06.25.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = 89.251.147.134:6328
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} -
C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program
Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32
Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMeter] C:\Program
Files\HooTech\NetMeter\HooNetMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User
'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User
'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User
'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User
'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default
user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program
Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} -
C:\WINDOWS\AppPatch\Jview.dll (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program
Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32
Antivirus\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3672 bytes
------------------------------------

In addition, I ran a DOS utility that lists the drivers on my system:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User> drivers
Drivers - DiamondCS Freeware Console Tools (www.diamondcs.com.au)
---
ADDRESS: IMAGE PATH:
804D7000: \WINDOWS\system32\ntoskrnl.exe
806EC000: \WINDOWS\system32\hal.dll
F7AD6000: \WINDOWS\system32\KDCOM.DLL
F79E6000: \WINDOWS\system32\BOOTVID.dll
F7587000: ACPI.sys
F7AD8000: \WINDOWS\System32\DRIVERS\WMILIB.SYS
F7576000: pci.sys
F75D6000: isapnp.sys
F7B9E000: pciide.sys
F7856000: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
F7ADA000: intelide.sys
F75E6000: MountMgr.sys
F7557000: ftdisk.sys
F785E000: PartMgr.sys
F75F6000: VolSnap.sys
F753F000: atapi.sys
F7606000: disk.sys
F7616000: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
F751F000: fltmgr.sys
F750D000: sr.sys
F74F6000: KSecDD.sys
F7469000: Ntfs.sys
F743C000: NDIS.sys
F7421000: Mup.sys
F6BE3000: \SystemRoot\System32\DRIVERS\intelppm.sys
F6BAC000: \SystemRoot\System32\DRIVERS\ialmnt5.sys
F6B98000: \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
F7926000: \SystemRoot\System32\DRIVERS\usbuhci.sys
F6B75000: \SystemRoot\System32\DRIVERS\USBPORT.SYS
F792E000: \SystemRoot\System32\DRIVERS\usbehci.sys
F7936000: \SystemRoot\System32\DRIVERS\RTL8139.SYS
F6BD3000: \SystemRoot\System32\DRIVERS\i8042prt.sys
F793E000: \SystemRoot\System32\DRIVERS\mouclass.sys
F7946000: \SystemRoot\System32\DRIVERS\kbdclass.sys
F6BC3000: \SystemRoot\System32\DRIVERS\imapi.sys
F7646000: \SystemRoot\System32\DRIVERS\cdrom.sys
F7656000: \SystemRoot\System32\DRIVERS\redbook.sys
F6B52000: \SystemRoot\System32\DRIVERS\ks.sys
F6A8B000: \SystemRoot\system32\drivers\cmuda.sys
F6A67000: \SystemRoot\system32\drivers\portcls.sys
F7666000: \SystemRoot\system32\drivers\drmk.sys
F794E000: \SystemRoot\System32\DRIVERS\fdc.sys
F7676000: \SystemRoot\System32\DRIVERS\serial.sys
F7AAE000: \SystemRoot\System32\DRIVERS\serenum.sys
F7956000: \SystemRoot\System32\DRIVERS\irsir.sys
F7AB2000: \SystemRoot\System32\DRIVERS\irenum.sys
F6A53000: \SystemRoot\System32\DRIVERS\parport.sys
F7ABA000: \SystemRoot\System32\DRIVERS\gameenum.sys
F7C58000: \SystemRoot\system32\drivers\msmpu401.sys
F7C59000: \SystemRoot\System32\DRIVERS\audstub.sys
F795E000: \SystemRoot\System32\DRIVERS\rasirda.sys
F7966000: \SystemRoot\System32\DRIVERS\TDI.SYS
F7686000: \SystemRoot\System32\DRIVERS\rasl2tp.sys
F7AC2000: \SystemRoot\System32\DRIVERS\ndistapi.sys
F6A3C000: \SystemRoot\System32\DRIVERS\ndiswan.sys
F7696000: \SystemRoot\System32\DRIVERS\raspppoe.sys
F76A6000: \SystemRoot\System32\DRIVERS\raspptp.sys
F6A2B000: \SystemRoot\System32\DRIVERS\psched.sys
F76B6000: \SystemRoot\System32\DRIVERS\msgpc.sys
F796E000: \SystemRoot\System32\DRIVERS\ptilink.sys
F7976000: \SystemRoot\System32\DRIVERS\raspti.sys
F76C6000: \SystemRoot\System32\DRIVERS\termdd.sys
F7B02000: \SystemRoot\System32\DRIVERS\swenum.sys
F6996000: \SystemRoot\System32\DRIVERS\update.sys
F7ACE000: \SystemRoot\System32\DRIVERS\mssmbios.sys
EE902000: \SystemRoot\system32\drivers\ialmkchw.sys
EE8E6000: \SystemRoot\system32\drivers\ialmsbw.sys
F76E6000: \SystemRoot\System32\Drivers\NDProxy.SYS
F7706000: \SystemRoot\System32\DRIVERS\usbhub.sys
F7B04000: \SystemRoot\System32\DRIVERS\USBD.SYS
F797E000: \SystemRoot\System32\DRIVERS\flpydisk.sys
F7B06000: \SystemRoot\System32\Drivers\Fs_Rec.SYS
F7CD7000: \SystemRoot\System32\Drivers\Null.SYS
F7B08000: \SystemRoot\System32\Drivers\Beep.SYS
F798E000: \SystemRoot\System32\drivers\vga.sys
F7B0A000: \SystemRoot\System32\Drivers\mnmdd.SYS
F7B0C000: \SystemRoot\System32\DRIVERS\RDPCDD.sys
F7996000: \SystemRoot\System32\Drivers\Msfs.SYS
F799E000: \SystemRoot\System32\Drivers\Npfs.SYS
F7A66000: \SystemRoot\System32\DRIVERS\rasacd.sys
EE863000: \SystemRoot\System32\DRIVERS\ipsec.sys
EE80B000: \SystemRoot\System32\DRIVERS\tcpip.sys
EE7E3000: \SystemRoot\System32\DRIVERS\netbt.sys
F7726000: \SystemRoot\system32\DRIVERS\epfwtdir.sys
EE7C1000: \SystemRoot\System32\drivers\afd.sys
F7736000: \SystemRoot\System32\DRIVERS\netbios.sys
EE796000: \SystemRoot\System32\DRIVERS\rdbss.sys
EE727000: \SystemRoot\System32\DRIVERS\mrxsmb.sys
F7756000: \SystemRoot\System32\Drivers\Fips.SYS
EE706000: \SystemRoot\System32\DRIVERS\ipnat.sys
F7766000: \SystemRoot\System32\DRIVERS\wanarp.sys
F7776000: \SystemRoot\system32\DRIVERS\easdrv.sys
F77C6000: \SystemRoot\System32\Drivers\Cdfs.SYS
EE6C6000: \SystemRoot\System32\Drivers\dump_atapi.sys
F7B14000: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
BF800000: \SystemRoot\System32\win32k.sys
EE8D2000: \SystemRoot\System32\drivers\Dxapi.sys
F79CE000: \SystemRoot\System32\watchdog.sys
BF9C3000: \SystemRoot\System32\drivers\dxg.sys
F7BBC000: \SystemRoot\System32\drivers\dxgthk.sys
BF9E2000: \SystemRoot\System32\ialmdnt5.dll
BF9D5000: \SystemRoot\System32\ialmrnt5.dll
BFA04000: \SystemRoot\System32\ialmdev5.DLL
BFA32000: \SystemRoot\System32\ialmdd5.DLL
BFFA0000: \SystemRoot\System32\ATMFD.DLL
EE4A8000: \SystemRoot\System32\DRIVERS\irda.sys
EE5BE000: \SystemRoot\System32\DRIVERS\ndisuio.sys
EE19B000: \SystemRoot\system32\drivers\wdmaud.sys
EE2F0000: \SystemRoot\system32\drivers\sysaudio.sys
EDF67000: \SystemRoot\System32\DRIVERS\mrxdav.sys
F7B62000: \SystemRoot\System32\Drivers\ParVdm.SYS
EDEF2000: \SystemRoot\system32\DRIVERS\eamon.sys
EDE78000: \SystemRoot\System32\DRIVERS\srv.sys
EDB8F000: \SystemRoot\System32\Drivers\HTTP.sys
ED843000: \SystemRoot\System32\Drivers\Fastfat.SYS
F78E6000: \SystemRoot\system32\DRIVERS\usbccgp.sys
F78FE000: \SystemRoot\system32\DRIVERS\HPZius12.sys
EE592000: \SystemRoot\system32\drivers\hpfxbulk.sys
F7906000: \SystemRoot\system32\drivers\HPFXGEN.SYS
EE1E0000: \SystemRoot\system32\DRIVERS\HPZid412.sys
EDA04000: \SystemRoot\system32\DRIVERS\Dot4Scan.sys
EDA18000: \SystemRoot\system32\DRIVERS\HPZipr12.sys
ED818000: \SystemRoot\system32\drivers\kmixer.sys
7C900000: \WINDOWS\system32\ntdll.dll
124 drivers detected.

C:\Documents and Settings\User>

What is strange is that there are 4 running svchost.exe processes.
 
David H. Lipman

From: "SANTANDER" <santander@microsoft.news>

| Win XP Home, NOD32 3.0.650.0 antivirus. I got infected with the Win32/Alman.NAB
| virus. My antivirus showed some executable files were infected; also, when
| browsing the web with Internet Explorer, Windows periodically popped up error
| messages called RUNDLL:
| "Error loading C:\Windows\AppPatch\Jview.dll
| The specified module could not be found."
| (I use Firefox by default.)

| After running a whole-computer scan, NOD32 isolated the infected files in a
| Quarantine folder. I removed Jview.dll.
| As far as I know, Win32/Alman.NAD is an infector and downloader and it has its
| own driver. If it sits inside some legitimate process (IE), then it will add a new
| registry key again. Then removing it will be harder.
| Then I ran the HijackThis utility and got the following report. I looked
| through the logfile, but I'm not sure which processes and keys are
| legitimate.

< snip >

| What is strange is that there are 4 running svchost.exe processes.


First off, do NOT post HJT logs to Usenet in general or the Microsoft hierarchy in
particular. If you had bothered to ask, you would have been told this and you would have
been provided with a list of trusted expert forums where HJT logs are allowed and
encouraged.

Secondly, it is NOT the number of running copies of SVCHOST.EXE that is important. Having
4 ~ 8 running copies of SVCHOST.EXE can be considered normal. What is important is the
fully qualified path. SVCHOST.EXE running from %windir%\system32 is legitimate.
SVCHOST.EXE running from a location such as %windir% or C:\Program Files\Common
Files\System are illegitimate locations and are most likely malware.



1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe Format --> uncheck "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
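The path rule above, applied mechanically to the HJT log. This is an added example in Python (not code from the thread, from HijackThis or from the posters): it parses the "Running processes" section and the Rn/On load-point entries of an HJT log, reports how many svchost.exe copies are running without treating the count as an indicator, flags any core system process whose path is not under %windir%\system32, and pulls out load points that HJT itself marks "(file missing)". The sample log is trimmed from the one posted earlier, with one constructed line (C:\WINDOWS\svchost.exe) added so the bad case is visible; extending the svchost.exe rule to the other names in SYSTEM_BINARIES is my generalization, not the poster's.

```python
"""Offline triage of a HijackThis log: the number of svchost.exe copies is
irrelevant; the fully qualified path is what matters. Also pulls out load
points that HJT already marks as "(file missing)"."""
import re
from collections import Counter

# Trimmed from the HJT log posted above. The line C:\WINDOWS\svchost.exe is
# CONSTRUCTED and added here only so the bad case is visible in the output.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\svchost.exe
C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe

O4 - HKLM\\..\\Run: [egui] "C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe" /hide /waitservice
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\\WINDOWS\\AppPatch\\Jview.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe
"""

# svchost.exe is the case from the thread; the other names extend the same
# "must live in %windir%\system32" rule to the core Windows processes
# (my generalization, not the poster's).
SYSTEM_BINARIES = {"svchost.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "spoolsv.exe"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text: str):
    """Split an HJT log into its running-process paths and its Rn/On entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # a blank line ends the section
                in_processes = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def _norm(path: str) -> str:
    # HJT mixes System32 and system32; NTFS paths are case-insensitive
    return path.lower().replace("/", "\\")


def triage(processes, entries, windir: str = "C:\\WINDOWS"):
    """Return (findings, svchost_count). The count is reported, never flagged."""
    findings = []
    system32 = _norm(windir) + "\\system32\\"
    counts = Counter(_norm(p) for p in processes)
    svchost_count = sum(n for p, n in counts.items() if p.endswith("\\svchost.exe"))
    for path in counts:
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not path.startswith(system32):
            findings.append(("system binary outside system32", path))
    for code, rest in entries:
        if "(file missing)" in rest:
            findings.append(("load point references missing file", f"{code} - {rest}"))
    return findings, svchost_count


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    found, n = triage(procs, ents)
    print(f"{n} svchost.exe instances (count alone is not an indicator)")
    for kind, detail in found:
        print(f"{kind}: {detail}")
```

Run against the sample it reports five svchost.exe instances, flags only the constructed C:\WINDOWS\svchost.exe line, and lists the O21 SSODL entry whose DLL is gone; the four System32 copies pass, which is the whole point of the path rule.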
 
SANTANDER

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:O74iyxw1IHA.4492@TK2MSFTNGP02.phx.gbl...
> From: "SANTANDER" <santander@microsoft.news>
>
> < snip >

--------
Well, thanks for the advice.

santander
 
SANTANDER

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:O74iyxw1IHA.4492@TK2MSFTNGP02.phx.gbl...
> From: "SANTANDER" <santander@microsoft.news>
>
> < snip >

-----

These forums are absolutely useless, the same as most of the mentioned tools like
Deckard's System Scanner, etc., etc. These "tools" just litter registry
settings and are ineffective and useless.
Windows has a "malicious software removal tool" but it's also an absolutely
useless thing, and not working at all.
 
David H. Lipman

From: "SANTANDER" <santander@microsoft.news>


| These forums are absolutely useless, the same as most of the mentioned tools like
| Deckard's System Scanner, etc., etc. These "tools" just litter registry
| settings and are ineffective and useless.
| Windows has a "malicious software removal tool" but it's also an absolutely
| useless thing, and not working at all.

The tools are NOT useless. Someone with skills or training can interpret if you are
infected via the system load points. You don't have those skills, thus you came to a faux
conclusion.

The forums are not useless as well. The forums have personnel who have the skills to
interpret the logs of the tools. Again a faux conclusion.

The MRT is an "on demand" anti-malware scanner and is geared to a limited list of malware.
While not the best of anti-malware on-demand scanners, it does have a level of efficacy
and capability and is far from useless. The fact that you don't have malware targeted by
the MRT should not lead you to the faux conclusion "absolutely useless thing".

I'm sorry but you asked for assistance and I gave you assistance. It was bad enough that
you posted a HJT log without asking first but the additional claims of "uselessness" based
upon your limited skill sets means you are unwilling to take appropriate action. This is
unfortunate.

Please tear down that brick wall you have created in your mind!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Geoff

On Thu, 26 Jun 2008 00:09:16 +0300, "SANTANDER" <santander@microsoft.news>
wrote:

>What is strange is that there are 4 running svchost.exe processes.


Not strange at all. Svchost.exe is the service executive. It's the process
that starts service processes. (RPC, DNS, Auto update, windows audio, etc.)
There are several instances of it depending on the configuration of the
machine and the kinds of services that are started.

As for validating executables, see www.sysinternals.com for process
utilities like Process Explorer that can check for signed code from
Microsoft and others.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Be aware, not all Microsoft code is signed but they have been making great
strides in signing their code. Just be careful and don't delete a suspect
binary just because it's not signed.

Autoruns, another good tool from the same place also verifies signed code
and allows easy access to the registry keys and binary files.
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Sysinternals was bought out and merged with Microsoft but Mark and Bryce
still develop the products.
 
SANTANDER

"Geoff" <geoff@invalid.invalid> wrote in message
news:3rgc64h26o5p0c38o01ta9a88vhfh3v1h9@4ax.com...
> On Thu, 26 Jun 2008 00:09:16 +0300, "SANTANDER" <santander@microsoft.news>
> wrote:
>
> >What is strange is that there are 4 running svchost.exe processes.
>
> Not strange at all. Svchost.exe is the service executive. It's the process
> that starts service processes. (RPC, DNS, Auto update, windows audio, etc.)
> There are several instances of it depending on the configuration of the
> machine and the kinds of services that are started.
>
> As for validating executables, see www.sysinternals.com for process
> utilities like Process Explorer that can check for signed code from
> Microsoft and others.
> http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
>
> Be aware, not all Microsoft code is signed but they have been making great
> strides in signing their code. Just be careful and don't delete a suspect
> binary just because it's not signed.
>
> Autoruns, another good tool from the same place also verifies signed code
> and allows easy access to the registry keys and binary files.
> http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
>
> Sysinternals was bought out and merged with Microsoft but Mark and Bryce
> still develop the products.

------------

Very helpful utilities. I want to check drivers. I just ran a console tool that
lists all drivers installed in my system; 124 drivers were detected. Is it
possible to check whether all of the drivers are legitimate or not?

Thanks.
 
Geoff

On Sun, 29 Jun 2008 02:42:11 +0300, "SANTANDER" <santander@microsoft.news>
wrote:

>
>"Geoff" <geoff@invalid.invalid> wrote in message
>news:3rgc64h26o5p0c38o01ta9a88vhfh3v1h9@4ax.com...
>> On Thu, 26 Jun 2008 00:09:16 +0300, "SANTANDER" <santander@microsoft.news>
>> wrote:
>>
>> >What is strange is that there are 4 running svchost.exe processes.
>>
>> Not strange at all. Svchost.exe is the service executive. It's the process
>> that starts service processes. (RPC, DNS, Auto update, windows audio, etc.)
>> There are several instances of it depending on the configuration of the
>> machine and the kinds of services that are started.
>>
>> < snip >
>
>------------
>
>Very helpful utilities. I want to check drivers. I just ran a console tool that
>lists all drivers installed in my system; 124 drivers were detected. Is it
>possible to check whether all of the drivers are legitimate or not?
>
>Thanks.


You're welcome.

It's very difficult to know for sure which drivers are legitimate. Autoruns
will verify signatures but if the publisher doesn't sign the code then this
method fails and you have to look into each driver and evaluate it
yourself. Many driver vendors don't sign their code. There is no sure tool
that I am aware of that will validate a driver automatically without some
kind of code signature. The Drivers tab of Autoruns will list all your
drivers.

As far as malware or viruses are concerned, your principal indicators will
be:

1. Strange behavior of computer.
2. Strange filename or location of executable.
3. Lack of publisher name.
4. Not signed.
5. Program or driver phones home or accesses TCP/IP.
6. Executable is compressed or obfuscated.
7. Multiple instances of the binary of the same length, same date/time
under different names in the system32/ or system32/drivers file with very
strange version information blocks.

You cannot effectively use the filename alone as an indicator.

Using Autoruns or Process Explorer you can search online (google) by
selecting the item and hitting ctrl-M. This presents a list of hits that
you can research. Very handy. Of course, some of what is written about some
of these files is written by non-experts or the occasional troll, so you
must judge what is reasonable, valid information.
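Several of the indicators in the list above can be scripted offline against a directory of binaries. The following is an added example in Python (mine, not Geoff's and not part of Autoruns or Process Explorer) that implements indicator 7 (same size and timestamp under different names), indicator 6 (compressed or obfuscated code, approximated by Shannon entropy of the file bytes) and the publisher-name part of indicator 3 (no CompanyName string in the version block). It builds a throwaway directory of constructed files rather than touching real drivers; the sample_*.sys names, the 7.2 bits/byte entropy threshold and the crude UTF-16 search for the CompanyName key are assumptions of the example, not facts from the thread.

```python
"""Scripting some of the indicators listed above: same-size/same-timestamp
binaries under different names, compressed or obfuscated executables (byte
entropy), and executables with no publisher name in their version block."""
import math
import os
import tempfile
from collections import defaultdict

# "CompanyName" as stored (UTF-16-LE) inside a PE's VS_VERSIONINFO resource.
# Searching the raw bytes is a crude stand-in for parsing the resource tree.
COMPANY_NAME_UTF16 = "CompanyName".encode("utf-16-le")
PACKED_ENTROPY = 7.2   # bits/byte; packed or encrypted data sits near 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ordinary code and data sit well below 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def has_company_name(data: bytes) -> bool:
    return COMPANY_NAME_UTF16 in data


def scan_dir(directory: str) -> list:
    """Return (indicator, file, detail) tuples for every file in directory."""
    findings = []
    by_fingerprint = defaultdict(list)   # (size, mtime) -> names
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        with open(path, "rb") as fh:
            data = fh.read()
        by_fingerprint[(st.st_size, int(st.st_mtime))].append(name)
        ent = shannon_entropy(data)
        if ent > PACKED_ENTROPY:
            findings.append(("high entropy (packed/obfuscated?)", name, round(ent, 2)))
        if not has_company_name(data):
            findings.append(("no CompanyName in version block", name, None))
    for (size, _), names in by_fingerprint.items():
        if len(names) > 1:
            findings.append(("same size and timestamp under different names",
                             ", ".join(names), size))
    return findings


def _write(directory: str, name: str, data: bytes, mtime: int) -> None:
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (mtime, mtime))


def build_sample_dir() -> str:
    """Constructed sample files (NOT real drivers) that trigger each rule."""
    d = tempfile.mkdtemp(prefix="drvscan_")
    version_block = COMPANY_NAME_UTF16 + b"\x00\x00" + "Example Corp".encode("utf-16-le")
    # ordinary-looking file: mostly zeros, carries a CompanyName string
    _write(d, "sample_ok.sys", b"MZ" + b"\x00" * 4096 + version_block, 1_200_000_000)
    # packed-looking file: random bytes, no version information at all
    _write(d, "sample_packed.sys", b"MZ" + os.urandom(8192), 1_210_000_000)
    # identical bytes dropped twice under different names with one timestamp
    twin = b"MZ" + b"\x00\x01" * 2048 + version_block
    _write(d, "sample_twin_a.sys", twin, 1_220_000_000)
    _write(d, "sample_twin_b.sys", twin, 1_220_000_000)
    return d


if __name__ == "__main__":
    for indicator, target, detail in scan_dir(build_sample_dir()):
        print(f"{indicator:50s} {target} {detail if detail is not None else ''}")
```

Point scan_dir at a copy of system32\drivers taken from a machine under suspicion and read the output the way the list above says to: none of these hits proves anything on its own (plenty of legitimate vendors ship packed or unsigned drivers with empty version blocks), they are the files to look at next.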
 
David H. Lipman

From: "Geoff" <geoff@invalid.invalid>


| You're welcome.

| It's very difficult to know for sure which drivers are legitimate. Autoruns

< snip >

So VERY true. I have seen many instances of malware that have faked information in a DLL
to make it look like it was created by Microsoft. In addition, malware authors are now
digitally signing their malware to bypass the security of Vista.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Geoff

On Sat, 28 Jun 2008 21:07:55 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Geoff" <geoff@invalid.invalid>
>
>
>| You're welcome.
>
>| It's very difficult to know for sure which drivers are legitimate. Autoruns
>
>< snip >
>
>So VERY true. I have seen many instances of malware that have faked information in a DLL
>to make it look like it was created by Microsoft. In addition, malware authors are now
>digitally signing their malware to bypass the security of Vista.


Hi David,

I had heard of this but have not encountered it yet. I don't deal with it
daily. If code can be signed and validated against the key then the key
process is hopelessly broken. If malware can be signed and the perpetrators
not identified then the certificate process is worthless.

P.S. Try dealing with Wanso, in Chinese, on your wife's notebook for a few
days just for fun. :) I finally ended up pulling the HDD and scanning it
from mine as a 3rd disk. Deep scanning and purging wasn't working when it
was the boot partition in the notebook.
 
David H. Lipman

From: "Geoff" <geoff@invalid.invalid>



| Hi David,

| I had heard of this but have not encountered it yet. I don't deal with it
| daily. If code can be signed and validated against the key then the key
| process is hopelessly broken. If malware can be signed and the perpetrators
| not identified then the certificate process is worthless.

| P.S. Try dealing with Wanso, in Chinese, on your wife's notebook for a few
| days just for fun. :) I finally ended up pulling the HDD and scanning it
| from mine as a 3rd disk. Deep scanning and purging wasn't working when it
| was the boot partition in the notebook.

Example of digitally signed malware:
http://sunbeltblog.blogspot.com/2008/02/dangerous-new-fake-american-greetings.html

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Geoff

On Sun, 29 Jun 2008 07:12:29 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Geoff" <geoff@invalid.invalid>
>
>
>
>| Hi David,
>
>| I had heard of this but have not encountered it yet. I don't deal with it
>| daily. If code can be signed and validated against the key then the key
>| process is hopelessly broken. If malware can be signed and the perpetrators
>| not identified then the certificate process is worthless.
>
>| P.S. Try dealing with Wanso, in Chinese, on your wife's notebook for a few
>| days just for fun. :) I finally ended up pulling the HDD and scanning it
>| from mine as a 3rd disk. Deep scanning and purging wasn't working when it
>| was the boot partition in the notebook.
>
>Example of digitally signed malware:
>http://sunbeltblog.blogspot.com/2008/02/dangerous-new-fake-american-greetings.html


They stopped short of the certification path. One more pic of that tab
would have helped. This looks like a simple individual code sign cert that
you can generate as an individual on your PC. The fact it is individual and
OK means either it was imported and trusted or the root cert. authority
cross-signed it and it passed that check. The UTN (AddTrust) cross sig
indicates the latter.

I'd say AddTrust's root certificate needs to be revoked by their cross
signers. There are so many CA's now it's impossible to tell the good ones
from the bad ones. I even have expired certs from Microsoft that expired in
2006 and Verisign certs that expired in 2002 and 2004. If UTN signed that
cert without verifying identity and performing due diligence then they
deserve to have their authority revoked, IMO. When CA's can't do business
because they didn't have proper procedures in place, then reform will come.
The examples of Verisign's incompetence when they were induced to sign keys
from the fraudulent Microsoft account show this.

Personally, I detest ActiveX, Java, JavaScript and the whole concept of
client side BHO's published indiscriminately. The idea that one can't read
a web document without them is abhorrent. Just visit any big commercial web
domain without these devices and see what you don't see. :)

The result of all this indiscriminate meta-data is universal trust or
blissful ignorance of the implications of all of it running on your
computer. Net result, malware or spyware at every mouse click or someone
putting one more piece of trash on your system in the name of "content".
 

David H. Lipman

From: "Geoff" <geoff@invalid.invalid>


>>| Hi David,


>>| I had heard of this but have not encountered it yet. I don't deal with it
>>| daily. If code can be signed and validated against the key then the key
>>| process is hopelessly broken. If malware can be signed and the perpetrators
>>| not identified then the certificate process is worthless.


>>| P.S. Try dealing with Wanso, in Chinese, on your wife's notebook for a few
>>| days just for fun. :) I finally ended up pulling the HDD and scanning it
>>| from mine as a 3rd disk. Deep scanning and purging wasn't working when it
>>| was the boot partition in the notebook.


>>Example of digitally signed malware:
>>http://sunbeltblog.blogspot.com/2008/02/dangerous-new-fake-american-greetings.html


| They stopped short of the certification path. One more pic of that tab
| would have helped. This looks like a simple individual code sign cert that
| you can generate as an individual on your PC. The fact it is individual and
| OK means either it was imported and trusted or the root cert. authority
| cross-signed it and it passed that check. The UTN (AddTrust) cross sig
| indicates the latter.

| I'd say AddTrust's root certificate needs to be revoked by their cross
| signers. There are so many CA's now it's impossible to tell the good ones
| from the bad ones. I even have expired certs from Microsoft that expired in
| 2006 and Verisign certs that expired in 2002 and 2004. If UTN signed that
| cert without verifying identity and performing due diligence then they
| deserve to have their authority revoked, IMO. When CA's can't do business
| because they didn't have proper procedures in place, then reform will come.
| The examples of Verisign's incompetence when they were induced to sign keys
| from the fraudulent Microsoft account show this.

| Personally, I detest ActiveX, Java, JavaScript and the whole concept of
| client side BHO's published indiscriminately. The idea that one can't read
| a web document without them is abhorrent. Just visit any big commercial web
| domain without these devices and see what you don't see. :)

| The result of all this indiscriminate meta-data is universal trust or
| blissful ignorance of the implications of all of it running on your
| computer. Net result, malware or spyware at every mouse click or someone
| putting one more piece of trash on your system in the name of "content".

That was just a publicly available sample and the blog was geared toward the greeting
card phishing end. I have seen numerous samples now. Some signed by Comodo. Albeit,
Melih has had the certificate revoked upon identification.

The point is that it can be difficult to "trust" a given EXE/DLL and the information in a
binary may be falsified. So far I have only seen falsifying a Microsoft
origin but any "trusted" company could be impersonated.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
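The point about falsified file information applies to everything a binary says about itself, including any WIN_CERTIFICATE table it carries; only validating that signature against a trusted root (what Process Explorer and Sigcheck do) means anything. The added example below is not code from the thread or from any Sysinternals tool. It parses a PE file's headers and reports whether an embedded Authenticode signature table is present at all, which is exactly the "Not signed" indicator and nothing more: it does not verify the PKCS#7 blob. Both test images are synthetic, built by build_pe(); real Windows binaries are far larger, and many OS files are signed through security catalogs rather than an embedded table, so "no table" on its own does not mean "unsigned".

```python
import struct

# Constants from the PE/COFF specification (Microsoft "PE Format" docs).
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # Authenticode: PKCS#7 SignedData


def certificate_table(image: bytes):
    """Return (file_offset, size) of the Certificate Table, or None.

    Unlike every other data directory, the Security entry holds a raw file
    offset, not an RVA, because the signature lives outside any section.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    size_of_optional = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    n_dirs = struct.unpack_from("<I", image, opt + count_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # A truncated directory list simply means "no certificate table".
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > size_of_optional:
        return None
    offset, size = struct.unpack_from("<II", image, opt + entry)
    return (offset, size) if offset and size else None


def signature_status(image: bytes) -> dict:
    """Classify a PE image by the *presence* of an embedded signature.

    Presence is not validity: a signed file must still chain to a trusted
    root (what Sigcheck/Process Explorer check), and many Windows OS files
    are signed through security catalogs and show no embedded table at all.
    """
    table = certificate_table(image)
    if table is None:
        return {"embedded_signature": False,
                "note": "unsigned, or catalog-signed; verify with a signature tool"}
    offset, size = table
    length, revision, cert_type = struct.unpack_from("<IHH", image, offset)
    if length > size or offset + length > len(image):
        return {"embedded_signature": False, "note": "malformed WIN_CERTIFICATE"}
    return {"embedded_signature": True,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "revision": revision, "length": length,
            "note": "embedded signature present; chain still unverified"}


# --- Constructed test images (synthetic, not real Windows binaries) ---------
def build_pe(signed: bool, pe32plus: bool = False) -> bytes:
    """Build a minimal header-only PE image, optionally with a dummy cert table."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    n_dirs = 16
    hdr_fixed = 112 if pe32plus else 96
    opt_size = hdr_fixed + 8 * n_dirs
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, n_dirs)
    cert = b""
    if signed:
        # Dummy payload; real files carry DER-encoded PKCS#7 SignedData here.
        payload = b"\x30\x00" * 8
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        cert_off = e_lfanew + 4 + len(coff) + opt_size
        struct.pack_into("<II", opt, hdr_fixed + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for label, img in (("unsigned PE32", build_pe(False)),
                       ("signed PE32+", build_pe(True, pe32plus=True))):
        print(label, signature_status(img))
```

Run it as-is and it prints the classification of the two synthetic images; pointed at a real file (`signature_status(open(path, "rb").read())`) it tells you only whether there is something to verify. The verification step itself, and the catalog lookup for files without an embedded table, is what the Sysinternals tools named in this thread add on top.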
 

SANTANDER

"Geoff" <geoff@invalid.invalid> wrote in message
news:6ukd649p53erjj0f4r4km9sn53mkb6njbt@4ax.com...
> On Sun, 29 Jun 2008 02:42:11 +0300, "SANTANDER" <santander@microsoft.news>
> wrote:
>
>>
>>"Geoff" <geoff@invalid.invalid> wrote in message
>>news:3rgc64h26o5p0c38o01ta9a88vhfh3v1h9@4ax.com...
>>> On Thu, 26 Jun 2008 00:09:16 +0300, "SANTANDER" <santander@microsoft.news>
>>> wrote:
>>>
>>> >What is strange, there are 4 running svchost.exe processes..
>>>
>>> Not strange at all. Svchost.exe is the service executive. It's the process
>>> that starts service processes. (RPC, DNS, Auto update, windows audio, etc.)
>>> There are several instances of it depending on the configuration of the
>>> machine and the kinds of services that are started.
>>>
>>> As for validating executables, see www.sysinternals.com for process
>>> utilities like Process Explorer that can check for signed code from
>>> Microsoft and others.
>>> http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
>>>
>>> Be aware, not all Microsoft code is signed but they have been making great
>>> strides in signing their code. Just be careful and don't delete a suspect
>>> binary just because it's not signed.
>>>
>>> Autoruns, another good tool from the same place also verifies signed code
>>> and allows easy access to the registry keys and binary files.
>>> http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
>>>
>>> Sysinternals was bought out and merged with Microsoft but Mark and Bryce
>>> still develop the products.

>>------------
>>
>>Very helpful utilities. I want to check drivers. I just ran a console tool
>>that lists all drivers installed in my system; 124 drivers were detected. Is
>>it possible to check whether all of the drivers are legitimate or not?
>>
>>Thanks.

>
> You're welcome.
>
> It's very difficult to know for sure which drivers are legitimate. Autoruns
> will verify signatures but if the publisher doesn't sign the code then this
> method fails and you have to look into each driver and evaluate it
> yourself. Many driver vendors don't sign their code. There is no sure tool
> that I am aware of that will validate a driver automatically without some
> kind of code signature. The Drivers tab of Autoruns will list all your
> drivers.
>
> As far as malware or viruses are concerned, your principal indicators will
> be:
>
> 1. Strange behavior of computer.
> 2. Strange filename or location of executable.
> 3. Lack of publisher name.
> 4. Not signed.
> 5. Program or driver phones home or accesses TCP/IP.
> 6. Executable is compressed or obfuscated.
> 7. Multiple instances of the binary of the same length, same date/time
> under different names in the system32/ or system32/drivers file with very
> strange version information blocks.
>
> You cannot effectively use the filename alone as an indicator.
>
> Using Autoruns or Process Explorer you can search online (google) by
> selecting the item and hitting ctrl-M. This presents a list of hits that
> you can research. Very handy. Of course, some of what is written about some
> of these files is written by non-experts or the occasional troll, so you
> must judge what is reasonable, valid information.

----------------

Just tried Process Explorer. Does it show hidden DLLs that can possibly be
loaded inside the explorer.exe process?

Some processes displayed by Process Explorer are not fully clear:
process PID Description

System 4

What is the 'System' process with PID 4?
Process Explorer shows System Idle Process taking 98.46 percent. Why so much?

Are there similar security tools that can work on Win98?

Thanks.
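Indicator 7 in Geoff's list quoted above (several binaries of identical size and timestamp under different names in system32 or system32\drivers) is easy to automate. The following is an added example, not code from the thread or from Sysinternals: it groups files by (size, modification time), reports every group holding more than one filename, and hashes each member so the analyst can see whether the copies are byte-identical or merely coincide in size and time. The scan target here is a throwaway directory built by build_fixture() with constructed sample files; on a real machine one would point scan_duplicate_binaries at the system32 directory. A hit is a lead to check against the other indicators (publisher, signature, version block), not a verdict.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

BINARY_EXTS = (".exe", ".dll", ".sys", ".ocx")


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_duplicate_binaries(root: str, exts=BINARY_EXTS) -> list:
    """Indicator 7: binaries with the same length and timestamp but different
    names. Returns one finding per (size, mtime) group that holds two or more
    distinct filenames; each member carries its SHA-256 so the analyst can
    tell byte-identical copies from coincidental size/time matches."""
    groups = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            groups[(st.st_size, int(st.st_mtime))].append(path)
    findings = []
    for (size, mtime), paths in sorted(groups.items()):
        if len({os.path.basename(p).lower() for p in paths}) < 2:
            continue          # one name only: nothing to compare against
        members = [(p, sha256_of(p)) for p in sorted(paths)]
        findings.append({
            "size": size,
            "mtime": mtime,
            "files": members,
            "identical_content": len({digest for _p, digest in members}) == 1,
        })
    return findings


def basenames(finding: dict) -> list:
    """Sorted filenames of one finding, for reporting."""
    return sorted(os.path.basename(p) for p, _digest in finding["files"])


# --- Constructed fixture standing in for %SystemRoot%\system32 -------------
def build_fixture() -> str:
    """Create a throwaway directory tree holding constructed sample files."""
    root = tempfile.mkdtemp(prefix="sys32_sample_")
    drivers = os.path.join(root, "drivers")
    os.mkdir(drivers)
    stamp = 1214000000                    # one shared timestamp (constructed)
    body_a = b"MZ" + b"\x90" * 1024       # 1026 bytes
    samples = {
        # two copies of the same bytes under random-looking names (indicator 7)
        os.path.join(drivers, "qzt4h.sys"): (body_a, stamp),
        os.path.join(drivers, "kpx91.sys"): (body_a, stamp),
        # same size and timestamp but different bytes: still worth a look
        os.path.join(root, "bx7w.dll"): (b"MZ" + b"\xcc" * 2048, stamp),
        os.path.join(root, "hw9q.dll"): (b"MZ" + b"\xdd" * 2048, stamp),
        # an unrelated file of a different size and time
        os.path.join(root, "legit.dll"): (b"MZ" + b"\x00" * 4096, stamp + 60),
        # not a binary extension: ignored by the scan
        os.path.join(root, "notes.txt"): (body_a, stamp),
    }
    for path, (body, mtime) in samples.items():
        with open(path, "wb") as f:
            f.write(body)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for finding in scan_duplicate_binaries(build_fixture()):
        print("size=%d mtime=%d identical=%s" % (
            finding["size"], finding["mtime"], finding["identical_content"]))
        for path, digest in finding["files"]:
            print("   ", os.path.basename(path), digest[:16])
```

The fixture yields two groups: the two .sys files share a digest (a dropper writing the same payload under two names), while the two .dll files match only on size and time, which is the kind of coincidence the hash column is there to rule out before anyone touches a file.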
 

Geoff

On Mon, 30 Jun 2008 16:36:51 +0300, "SANTANDER" <santander@microsoft.news>
wrote:

>
>Just tried Process Explorer. Does it show hidden DLLs that can possibly be
>loaded inside the explorer.exe process?
>


It shows every process. AFAIK, nothing can hide from it.

>Some processes displayed by Process Explorer are not fully clear:
>process PID Description
>
>System 4
>
>What is the 'System' process with PID 4?


System is the Windows NT kernel. Don't poke at it. It is essential for
proper operation of your system. System is the owner of all other processes
and drivers in the computer.

>Process Explorer shows System Idle Process taking 98.46 percent. Why so much?
>


Every multitasking system has an Idle process. This is the task that is run
when other tasks are not running. It is the lowest priority task. It gets
all CPU time remaining that is not "other processes". Windows NT Idle
process runs when all other scheduled processes have returned control to
the OS. It does some very basic Windows housekeeping and then a halt
instruction. The CPU wakes up and exits the idle process on the next kernel
interrupt and proceeds to other tasks.

>Are there similar security tools that can work on Win98?
>


Process Explorer works on Windows 98. I don't use 98 anymore so I don't
know what is available.
 

SANTANDER

"Geoff" <geoff@invalid.invalid> wrote in message
news:24rh64ldt1kbleu6jmp4dgrkrse149pa3u@4ax.com...
> On Mon, 30 Jun 2008 16:36:51 +0300, "SANTANDER" <santander@microsoft.news>
> wrote:
>
>>
>>Just tried Process Explorer. Does it show hidden DLLs that can possibly be
>>loaded inside the explorer.exe process?
>>
>
> It shows every process. AFAIK, nothing can hide from it.
>
>>Some processes displayed by Process Explorer are not fully clear:
>>process PID Description
>>
>>System 4
>>
>>What is the 'System' process with PID 4?
>
> System is the Windows NT kernel. Don't poke at it. It is essential for
> proper operation of your system. System is the owner of all other processes
> and drivers in the computer.
>
>>Process Explorer shows System Idle Process taking 98.46 percent. Why so much?
>>
>
> Every multitasking system has an Idle process. This is the task that is run
> when other tasks are not running. It is the lowest priority task. It gets
> all CPU time remaining that is not "other processes". Windows NT Idle
> process runs when all other scheduled processes have returned control to
> the OS. It does some very basic Windows housekeeping and then a halt
> instruction. The CPU wakes up and exits the idle process on the next kernel
> interrupt and proceeds to other tasks.
>
>>Are there similar security tools that can work on Win98?
>>
>
> Process Explorer works on Windows 98. I don't use 98 anymore so I don't
> know what is available.

--------------

Just to clarify, when Task Manager shows CPU 98, it seems not to be a
percentage; the CPU Usage shown below is 7-8%.
Process Explorer does NOT work on Windows 98, I tried (though I read
somewhere that it works on Win98). When executed, it showed the timer for some
time (it paused longer than normal), but no GUI was shown. I just ended
it via Task Manager.
 

Geoff

On Mon, 30 Jun 2008 19:05:49 +0300, "SANTANDER" <santander@microsoft.news>
wrote:

>Just to clarify, when Task Manager shows CPU 98, it seems not to be a
>percentage; the CPU Usage shown below is 7-8%.


Utilization is measured as any process running that is not Idle time.
IdleTime + SumOfAllProcessTime = 100%

Percent of time spent in idle is non-utilized time but Taskman and PE will
show the percentage of time spent in idle vs. other tasks.

>Process Explorer does NOT work on Windows 98, I tried (though I read
>somewhere that it works on Win98). When executed, it showed the timer for some
>time (it paused longer than normal), but no GUI was shown. I just ended
>it via Task Manager.


News to me. PE's help file says it supports all OS but maybe that only
applied for older versions of PE and they never updated the help file or
perhaps there is a different download version for 9x/Me.

From help:

"Process Explorer does not require administrative privileges to run and
works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server
2003, Windows Vista, Windows Server 2008 and on the x64 version of 64-bit
Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008."
 

David H. Lipman

From: "Geoff" <geoff@invalid.invalid>

| On Mon, 30 Jun 2008 16:36:51 +0300, "SANTANDER" <santander@microsoft.news>
| wrote:


>>Just tried Process Explorer, does it show hidden DLLs that possibly can
>>loaded inside explorer.exe process?



| It shows every process. AFAIK, nothing can hide from it.


That is NOT true. Many forms of malware can use low level Win32/Win64 programming
constructs that can indeed hide the process from utilities like Process Explorer. This
is where an anti-rootkit utility such as Gmer is useful. Additionally, Process Explorer
will not identify files that are stored using the Alternate Data Streams (ADS)
capabilities of NTFS.

< snip >

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

Geoff

On Mon, 30 Jun 2008 16:54:08 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Geoff" <geoff@invalid.invalid>
>
>| On Mon, 30 Jun 2008 16:36:51 +0300, "SANTANDER" <santander@microsoft.news>
>| wrote:
>
>
>>>Just tried Process Explorer, does it show hidden DLLs that possibly can
>>>loaded inside explorer.exe process?

>
>
>| It shows every process. AFAIK, nothing can hide from it.
>
>
>That is NOT true. Many forms of malware can use low level Win32/Win64 programming
>constructs that can indeed hide the process from utilities like Process Explorer. This
>is where an anti-rootkit utility such as Gmer is useful. Additionally, Process Explorer
>will not identify files that are stored using the Alternate Data Streams (ADS)
>capabilities of NTFS.
>

Well, if you have specific info I'd like to see it. If it has a PID, it can
be seen. Rootkit Revealer found it. Not sure if Mark was using PE at the
same time when he found the Sony rootkit.

As for ADS, a process is not a file; to which part of PE are you referring
about hiding a process in an ADS?
 

David H. Lipman

From: "Geoff" <geoff@invalid.invalid>


| Well, if you have specific info I'd like to see it. If it has a PID, it can
| be seen. Rootkit Revealer found it. Not sure if Mark was using PE at the
| same time when he found the Sony rootkit.

| As for ADS, a process is not a file,to which part of PE are you referring
| to about hiding a process in an ADS?

This is an area where I fall off the ledge. I still have much to learn. However, it is my
understanding that the following are used to hide processes...

ZwCreateThread
ZwOpenProcess
ZwOpenThread
ZwTerminateProcess
ZwWriteVirtualMemory

The PID would be hidden from normal scrutiny and thus NOT shown in Process Explorer.

You are correct in that ADS refers to how a file is stored and not a process. However,
you cannot tell from Process Explorer if a file is executed from an Alternate Data
Stream. SVCHOST.EXE executed as an ADS is most certainly malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
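The two checks David describes (an image that is executed from an NTFS alternate data stream, and an SVCHOST.EXE living anywhere but system32) can be applied mechanically to the image paths in a process list. The following is an added example, not code from the thread, from Gmer or from Sysinternals. It assumes the image path is available as a plain string (the Image Path column in Process Explorer gives this) and that on 64-bit Windows the SysWOW64 copy of svchost.exe is also legitimate; the thread's machine is 32-bit XP, where only system32 applies. The sample rows are constructed for illustration. Like Process Explorer itself, this sees only the processes the system reports, so a rootkit that hides a PID hides from it too, which is exactly where the anti-rootkit tools mentioned above come in.

```python
import ntpath

# Where the real Service Host is installed. Assumption for this example: the
# SysWOW64 copy on 64-bit Windows is also legitimate (not relevant on 32-bit XP).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def split_stream(image_path: str):
    """Split 'C:\\dir\\file.exe:stream:$DATA' into (drive+dir, file, stream).

    The drive letter's own colon is removed by ntpath.splitdrive first, so any
    colon left in the final path component can only be an NTFS stream separator.
    """
    drive, rest = ntpath.splitdrive(image_path)
    directory, leaf = ntpath.split(rest)
    host, _sep, stream = leaf.partition(":")
    stream = stream.split(":")[0]        # drop an explicit ':$DATA' type suffix
    return drive + directory, host, stream


def assess_image_path(image_path: str) -> list:
    """Return the findings for one process image path (empty list = nothing seen).

    Check 1: the image is an alternate data stream of another file.
    Check 2: something called svchost.exe runs from a directory where the real
             Service Host is never installed.
    """
    directory, host, stream = split_stream(image_path)
    findings = []
    if stream:
        findings.append("runs from alternate data stream '%s' of %s" % (stream, host))
    executable = stream or host
    if executable.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS:
        findings.append("svchost.exe outside %SystemRoot%\\system32")
    return findings


def triage(processes) -> dict:
    """Map PID -> findings for every process in a (pid, name, image_path) list."""
    result = {}
    for pid, _name, image_path in processes:
        if not image_path:               # System (PID 4) and Idle have no image file
            continue
        findings = assess_image_path(image_path)
        if findings:
            result[pid] = findings
    return result


# Constructed sample rows (pid, name, image path). The PIDs and the two flagged
# entries are invented; the others mirror what a clean XP box shows.
SAMPLE_PROCESSES = [
    (4, "System", ""),
    (620, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (1044, "svchost.exe", r"C:\WINDOWS\svchost.exe"),
    (1388, "svchost.exe", r"C:\WINDOWS\system32\notepad.exe:svchost.exe"),
    (1500, "firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]


if __name__ == "__main__":
    for pid, findings in sorted(triage(SAMPLE_PROCESSES).items()):
        print(pid, "; ".join(findings))
```

Note that a process whose image is a stream shows the host file's name in the "name" column of most tools, so the path check is what catches it; the name column alone, as Geoff says elsewhere in the thread, is not an indicator.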
 
